Engage Goals: EGO0001 Expose
Engage Approach: EAP0002 Detect
Engage Actions: EAC0005 Lures, EAC0015 Information Manipulation
Name of Element: Log Files Decoy
Description of Element:
An Event Log decoy is a deception technique used to engage adversaries by creating fake event log files that mimic legitimate system logs. These decoy logs are strategically placed in typical log directories (such as C:\Windows\System32\LogFiles on Windows or /var/log/ on macOS) and are populated with realistic but fabricated entries that resemble normal system activities, such as user logins, system errors, or security alerts.
The purpose of the Event Log decoy is to lure attackers into interacting with these logs, either by reading, modifying, or deleting them. When an adversary engages with the decoy logs, it triggers alerts that allow defenders to detect and monitor their activities. This technique not only helps in detecting unauthorized access but also provides valuable insights into the attacker’s methods and objectives.
Event Log decoys are typically monitored using File Integrity Monitoring (FIM) and auditing tools to ensure that any interaction with the decoy logs is captured and analyzed in real-time, thereby enhancing the overall security and detection capabilities of the environment.
Technical Context:
1. Creation of Decoy Log Files
- Naming and Placement:
  - The decoy log files should be named similarly to legitimate log files and placed in directories where genuine log files are typically stored. For instance, on macOS, this could be in /var/log/, /Library/Logs/, or application-specific directories.
  - Examples include system.log, auth.log, or custom logs like security_agent.log.
- Content Simulation:
  - Populate these decoy log files with plausible but fabricated entries that mimic real system activity. The content should reflect typical log entries such as user logins, process executions, security alerts, or network connections.
  - Use log generators or scripts to update these files regularly, ensuring they appear active and relevant to the system’s operations.
2. Monitoring and Detection
- File Integrity Monitoring (FIM):
  - Implement FIM on these decoy logs to detect unauthorized access, modifications, or deletions. Tools like Tripwire or native audit frameworks can be configured to monitor the decoy log files for any changes.
  - Configure alerts for specific actions, such as when an adversary attempts to modify, delete, or copy these logs.
- Access Auditing:
  - Enable auditing on the directories and files containing the decoy logs. Capture and log any read, write, or execute actions performed on these files.
  - Use system auditing tools like auditd (on macOS and Linux) or Windows Event Logs to track access patterns that could indicate adversarial behavior.
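The Access Auditing step above, as an added example that is not part of the original page: an auditd watch rule for a decoy file plus a small parser that turns the resulting audit records into alerts while ignoring the account that legitimately refreshes the decoy. The Linux auditctl syntax, x86_64 syscall numbers, the key name, the generator uid 998 and the sample records are assumptions constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: alert on interactions with decoy
# log files from Linux auditd records. Assumptions: Linux auditctl rule syntax,
# x86_64 syscall numbers, the watch key "decoy_log", and a dedicated account
# (hypothetical uid 998) as the only legitimate writer of the decoy.
DECOY_KEY="decoy_log"
GENERATOR_UID=998

# Rule line for /etc/audit/rules.d/decoy.rules: watch reads, writes and attribute changes.
decoy_audit_rule() { printf '%s %s -p rwa -k %s\n' -w "$1" "$DECOY_KEY"; }

# Map an x86_64 syscall number to a verb; unknown numbers are reported as-is.
syscall_name() {
  case "$1" in
    2|257)      echo open ;;    87|263) echo unlink ;;
    82|264|316) echo rename ;;  76|77)  echo truncate ;;
    *)          echo "syscall=$1" ;;
  esac
}

# Extract one name=value field (quoted or bare). The leading space in the pattern
# keeps "uid=" from matching inside auid=/euid=/suid=.
field() { printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"; }

# Read audit records on stdin; print one ALERT per SYSCALL record carrying the
# decoy key whose uid is not the generator account.
decoy_alerts() {
  while IFS= read -r rec; do
    case "$rec" in type=SYSCALL*"key=\"$DECOY_KEY\""*) ;; *) continue ;; esac
    uid=$(field "$rec" uid)
    [ "$uid" = "$GENERATOR_UID" ] && continue
    ts=$(printf '%s\n' "$rec" | sed -n 's/.*audit(\([0-9.]*\):.*/\1/p')
    printf 'ALERT key=%s time=%s uid=%s action=%s comm=%s exe=%s\n' "$DECOY_KEY" "$ts" \
      "$uid" "$(syscall_name "$(field "$rec" syscall)")" "$(field "$rec" comm)" "$(field "$rec" exe)"
  done
}

# Constructed sample records (not real captures): the generator appending, then
# an unexpected read with cat and a delete with rm by uid 1001.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 uid=998 auid=998 comm="bash" exe="/usr/bin/bash" key="decoy_log"
type=PATH msg=audit(1700000000.101:501): item=0 name="/var/log/decoy_auth.log" mode=0100640
type=SYSCALL msg=audit(1700000000.222:502): arch=c000003e syscall=257 success=yes exit=3 uid=1001 auid=1001 comm="cat" exe="/usr/bin/cat" key="decoy_log"
type=SYSCALL msg=audit(1700000000.333:503): arch=c000003e syscall=263 success=yes exit=0 uid=1001 auid=1001 comm="rm" exe="/usr/bin/rm" key="decoy_log"'

# Alerts raised by the sample (2: the cat and the rm).
sample_alert_count() { printf '%s\n' "$SAMPLE_AUDIT" | decoy_alerts | grep -c '^ALERT'; }
```

Any other legitimate reader of the decoy (backup agents, log shippers, logrotate) has to be excluded the same way, or it will page the SOC on every run.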
3. Response Mechanism
- Trigger Alerts:
  - When access or modification to the decoy log files is detected, trigger an immediate alert to the security operations team. This can be integrated with SIEM systems for centralized monitoring and correlation with other security events.
  - Consider automating responses, such as isolating the endpoint, increasing logging verbosity, or redirecting the attacker to a honeypot environment for further monitoring.
- Logging Interaction:
  - Capture detailed logs of the adversary’s interactions with the decoy log files. This includes the specific commands they used, the processes they spawned, and any network activity that followed their actions.
4. Integration with Broader Deception Environment
- Correlation with Other Decoys:
  - Integrate the decoy log files with other decoys, such as fake services or credentials. For example, entries in the decoy logs could suggest the existence of other valuable assets (e.g., sensitive data or admin accounts), leading the adversary deeper into the deception.
  - Use the decoy logs as breadcrumbs that guide the adversary towards more sophisticated traps, providing valuable insights into their objectives and techniques.
- Regular Updating:
  - Regularly update and rotate the decoy log files to ensure they remain relevant and believable. This includes simulating recent activities that align with ongoing operations or known adversary TTPs.
  - Consider using scripts or automation tools to generate these updates, mimicking real-world log rotation and archival processes.
5. Example Implementation
- Bash Script for Log Generation:

```bash
#!/usr/bin/env bash
# Create a decoy log file with fake login entries
LOG_FILE="/var/log/decoy_auth.log"
echo "$(date) - root: Authentication successful" >> "$LOG_FILE"
echo "$(date) - admin: Authentication failure" >> "$LOG_FILE"
echo "$(date) - user: SSH session opened" >> "$LOG_FILE"
```

This script generates entries that look like user authentication logs. It should be set to run periodically to keep the decoy log active.
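Building on the generator above and on the Regular Updating guidance in section 4, an added example that is not the page's own code: it writes syslog-format sshd entries and rotates the decoy the way logrotate would, so its size and history stay believable. The hostname, account names, source addresses, file path and rotation threshold are constructed values.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: keeps a decoy auth log fresh in
# syslog format and rotates it the way logrotate would, so its size and history
# stay believable. Hostname, account names, source addresses, path and the
# rotation threshold are constructed/hypothetical values.
ROTATE_BYTES=1048576   # rotate once the decoy exceeds 1 MiB
ROTATE_KEEP=4          # keep .1 .. .4, like logrotate "rotate 4"
DECOY_HOST="host01"    # constructed hostname stamped into every entry
DECOY_USERS="alice bob svc-backup root"          # constructed account names
DECOY_SRCS="10.20.3.41 10.20.3.77 192.168.9.12"  # constructed private sources

# Nth whitespace-separated word (1-based) of a list.
pick() { echo "$1" | tr ' ' '\n' | sed -n "${2}p"; }
# Random integer in [1, $1] from /dev/urandom; keeps the script POSIX sh.
rnd() { echo $(( $(od -An -N2 -tu2 /dev/urandom) % $1 + 1 )); }

# One syslog-style line: "Mon dd HH:MM:SS host sshd[pid]: message".
decoy_entry() {
  local user src verb
  user=$(pick "$DECOY_USERS" "$(rnd 4)")
  src=$(pick "$DECOY_SRCS" "$(rnd 3)")
  # Mostly successes with the odd failure, like a real auth log.
  if [ "$(rnd 5)" -eq 1 ]; then verb="Failed password"; else verb="Accepted password"; fi
  printf '%s %s sshd[%s]: %s for %s from %s port %s ssh2\n' \
    "$(date '+%b %e %H:%M:%S')" "$DECOY_HOST" "$(rnd 30000)" "$verb" "$user" "$src" "$(rnd 60000)"
}

# Append $2 fresh entries to the decoy at $1 (creates it if missing).
refresh_decoy() {
  local i=0
  while [ "$i" -lt "$2" ]; do decoy_entry >> "$1"; i=$((i + 1)); done
}

# Shift $1 -> $1.1 -> ... -> $1.N once it exceeds ROTATE_BYTES.
# Returns 0 when a rotation happened, 1 otherwise.
rotate_if_needed() {
  local f="$1" size i
  [ -f "$f" ] || return 1
  size=$(wc -c < "$f" | tr -d ' ')
  [ "$size" -gt "$ROTATE_BYTES" ] || return 1
  i=$ROTATE_KEEP
  while [ "$i" -gt 1 ]; do
    [ -f "$f.$((i - 1))" ] && mv "$f.$((i - 1))" "$f.$i"
    i=$((i - 1))
  done
  mv "$f" "$f.1" && : > "$f"
}

# Scheduler entry point, e.g. from cron every few minutes: decoy_tick /var/log/decoy_auth.log
decoy_tick() { rotate_if_needed "$1" || :; refresh_decoy "$1" "$(rnd 3)"; }
```

Run the scheduler under the same dedicated account that your audit or FIM rules exclude, so the refresh itself never trips the decoy alert.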
6. Detection of Specific TTPs
- T1070.004 – Indicator Removal on Host: File Deletion:
  - If an adversary attempts to delete the decoy log files, it could indicate an attempt to cover their tracks, triggering an alert for potential indicator removal activities.
- T1562.001 – Impair Defenses: Disable or Modify Tools:
  - Attempts to modify or disable the logging mechanism associated with the decoy log files can be detected, indicating an adversary’s effort to impair the system’s defenses.
By implementing decoy log files with these technical considerations, you can effectively mislead adversaries, gather intelligence on their methods, and enhance your overall detection and response capabilities.
1. Windows Log File Decoys
Creation of Decoy Log Files
- Naming and Placement:
  - On Windows, log files are often stored in directories like C:\Windows\System32\LogFiles or C:\ProgramData. You can place decoy logs in these locations with names resembling critical system logs, such as Security.log, SystemEvents.log, or Firewall.log.
  - You might also mimic application-specific logs like C:\Program Files\YourApp\Logs\Application.log.
- Content Simulation:
  - Populate the decoy logs with fabricated entries that mimic real Windows Event Logs or application logs. These could include events such as user logins, application errors, or firewall rule changes.
  - Use scripts or utilities like PowerShell to periodically update these logs with fresh entries to maintain their realism.
Monitoring and Detection
- File Integrity Monitoring (FIM):
  - Use Windows tools like Sysmon combined with a Security Information and Event Management (SIEM) system to monitor access to these decoy logs. Configure Sysmon to generate events whenever the decoy log files are accessed, modified, or deleted.
- Auditing:
  - Enable auditing on the decoy log files and their directories. Use Local Security Policy settings to audit file access attempts and generate alerts when unauthorized access is detected.
Response Mechanism
- Trigger Alerts:
- Configure your SIEM or Windows Event Forwarding to trigger an alert whenever the decoy logs are accessed. This could include notifications through email, SMS, or integration with a SOAR platform for automated response.
- Interaction Logging:
- Capture detailed information about the actions taken on the decoy files, such as the commands used, user accounts involved, and any resulting network activity. This can be logged and correlated with other security events for a comprehensive view of the adversary’s actions.
Example Implementation
- PowerShell Script to Generate Decoy Logs:

```powershell
# Create a decoy log file that appears to track firewall activity
$LogPath = "C:\Windows\System32\LogFiles\DecoyFirewall.log"
Add-Content -Path $LogPath -Value "$(Get-Date) - Firewall rule created: Allow inbound TCP 445"
Add-Content -Path $LogPath -Value "$(Get-Date) - Firewall rule modified: Block all outbound traffic"
```

This script creates a decoy log file that appears to be tracking firewall activity. Run this script on a schedule to keep the decoy log updated.
2. macOS Log File Decoys
Creation of Decoy Log Files
- Naming and Placement:
  - On macOS, logs are typically found in directories like /var/log/, /Library/Logs/, or user-specific logs in ~/Library/Logs/. Create decoy logs with names such as system.log, auth.log, or firewall.log that match the naming conventions of legitimate system logs.
- Content Simulation:
  - Populate the decoy logs with entries that mimic normal macOS system behavior, such as user logins, system events, or application usage. These can be created using shell scripts or log generation tools.
  - Ensure the logs are regularly updated to reflect ongoing system activity, making them appear as part of normal operations.
Monitoring and Detection
- File Integrity Monitoring (FIM):
  - Use macOS’s native tools like fs_usage or third-party solutions to monitor changes to these decoy log files. FIM can be configured to trigger alerts when unauthorized access or modifications occur.
- Auditing:
  - Utilize auditd or macOS’s built-in auditing framework to track access to the decoy logs. Configure audit rules to log any interaction with these files and alert the security team when suspicious activity is detected.
Response Mechanism
- Trigger Alerts:
- Configure your SIEM or log management system to generate alerts when interactions with the decoy logs are detected. Integration with SOAR can help automate responses, such as isolating the affected endpoint or increasing logging verbosity.
- Interaction Logging:
- Capture and store detailed logs of any interactions with the decoy files, including the processes involved, user accounts, and any associated network activity. These logs can be used for forensic analysis or to refine the deception strategy.
Example Implementation
- Bash Script for macOS Decoy Logs:

```bash
#!/usr/bin/env bash
# Create a decoy log file with fake system events
LOG_FILE="/var/log/decoy_system.log"
echo "$(date) - com.apple.xpc.launchd[1]: Service exited with abnormal code: 1" >> "$LOG_FILE"
echo "$(date) - com.apple.xpc.launchd[1]: com.apple.securityd exited with exit code: 0" >> "$LOG_FILE"
echo "$(date) - com.apple.xpc.launchd[1]: Service only ran for 0 seconds. Pushing respawn out by 10 seconds." >> "$LOG_FILE"
```

This script generates entries that simulate typical macOS system event logs. Automate its execution to maintain the decoy log’s freshness.
General Tips for All Platforms
- Regular Updates: Ensure that decoy logs are regularly updated with plausible content to avoid detection by savvy attackers. Use automation tools to rotate logs and refresh their content.
- Interactivity: Consider implementing decoy logs that respond to certain actions, such as logs that grow when accessed, to increase the likelihood of engaging the attacker.
By applying these strategies for both Windows and macOS environments, you can effectively deploy decoy log files that engage adversaries, gather intelligence, and strengthen your overall cybersecurity posture.
Other: